Module Name: src Committed By: sevan Date: Tue Apr 2 01:50:32 UTC 2019
Added Files: src/etc/defaults: npf.boot.conf src/etc/rc.d: npf_boot Log Message: Add an initial ruleset and rc script for NPF to protect host during early stage of boot, similar to what is currently available for PF. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/etc/defaults/npf.boot.conf cvs rdiff -u -r0 -r1.1 src/etc/rc.d/npf_boot Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Added files:
Index: src/etc/defaults/npf.boot.conf
diff -u /dev/null src/etc/defaults/npf.boot.conf:1.1
--- /dev/null Tue Apr 2 01:50:32 2019
+++ src/etc/defaults/npf.boot.conf Tue Apr 2 01:50:32 2019
@@ -0,0 +1,37 @@
+# $NetBSD: npf.boot.conf,v 1.1 2019/04/02 01:50:32 sevan Exp $
+#
+# /etc/defaults/npf.boot.conf --
+# initial configuration for npf(4)
+#
+# DO NOT EDIT THIS FILE DIRECTLY; IT MAY BE REPLACED DURING A SYSTEM UPGRADE.
+# EDIT /etc/npf.boot.conf INSTEAD.
+#
+
+
+set bpf.jit off
+
+group default {
+# Default deny.
+block all
+
+# Don't block loopback.
+pass on lo0 all
+
+# Allow outgoing DNS.
+pass stateful out to any port domain
+
+# Allow outgoing ping request, might be used by a DHCP client to validate
+# old (but valid) leases in case it needs to fall back to such a lease
+# (the DHCP server can be down or not responding).
+pass stateful out proto icmp icmp-type echo all
+
+# Allow IPv6 router/neighbor solicitation and advertisement.
+pass out family inet6 proto ipv6-icmp icmp-type rtsol all
+pass in family inet6 proto ipv6-icmp icmp-type rtadv all
+pass out family inet6 proto ipv6-icmp icmp-type neighsol all
+pass in family inet6 proto ipv6-icmp icmp-type neighadv all
+
+# Enable CARP, to avoid spurious failovers.
+pass proto carp all
+
+}
Index: src/etc/rc.d/npf_boot
diff -u /dev/null src/etc/rc.d/npf_boot:1.1
--- /dev/null Tue Apr 2 01:50:32 2019
+++ src/etc/rc.d/npf_boot Tue Apr 2 01:50:32 2019
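Review bot: `set bpf.jit off` near the top of the ruleset has no comment, so a reader cannot tell why the JIT default is overridden in a boot-time configuration; the likely reason is that the JIT backend may not be available this early in boot, but that is inferred and should be confirmed with the author before adding a comment such as `# Disable BPF JIT here; the JIT backend may not be available this early in boot.`. It would also help to say at `block all` that the `stateful` pass rules below admit the reply traffic for DNS and echo requests, so the absence of explicit `pass in` rules for them is deliberate, e.g. `# Default deny; replies to the stateful rules below are admitted by state.`. The two `pass in ... rtadv`/`neighadv` rules and `pass proto carp all` are stateless and accept those packets from any source on any interface, which looks intended for a default-deny boot filter, but their comments should say so explicitly.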
@@ -0,0 +1,37 @@
+#!/bin/sh
+#
+# $NetBSD: npf_boot,v 1.1 2019/04/02 01:50:32 sevan Exp $
+#
+
+# PROVIDE: npf_boot
+# REQUIRE: root bootconf mountcritlocal tty
+# BEFORE: network
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="npf_boot"
+rcvar="npf"
+start_cmd="npf_boot_start"
+stop_cmd=":"
+
+npf_boot_start()
+{
+ if [ "$autoboot" != "yes" ]; then
+ err 1 "This script should only be executed at boot time."
+ fi
+
+ if [ -f /etc/npf.boot.conf ]; then
+ /sbin/npfctl reload /etc/npf.boot.conf
+ elif [ -f /etc/defaults/npf.boot.conf ]; then
+ /sbin/npfctl reload /etc/defaults/npf.boot.conf
+ else
+ warn "can't load initial npf rules; npf start aborted."
+ stop_boot
+ exit 1
+ fi
+
+ /sbin/npfctl start
+}
+
+load_rc_config $name
+run_rc_command "$1"
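Review bot: The exit status of `/sbin/npfctl reload` in both branches of `npf_boot_start` is never checked, so a ruleset that fails to parse or load (a typo in the admin-edited /etc/npf.boot.conf, for instance) is only reported by npfctl's own stderr while the script carries on to `/sbin/npfctl start`, leaving the host with whatever (possibly empty) ruleset was active, even though the missing-file case is treated as fatal with `stop_boot`. Selecting the file into a variable and then testing the single reload call gives both failure modes the same handling; the rewrite below does that, reusing the existing warn/stop_boot sequence. Separately, `rcvar="npf"` differs from `name`, presumably so that `npf=YES` in rc.conf enables this script together with the regular npf one; a one-line comment such as `# Shares npf's rcvar: npf=YES in rc.conf enables the early ruleset too.` would stop the next reader from taking it for a typo.
```shell
npf_boot_start()
{
	# … unchanged: autoboot check …

	if [ -f /etc/npf.boot.conf ]; then
		_conf=/etc/npf.boot.conf
	elif [ -f /etc/defaults/npf.boot.conf ]; then
		_conf=/etc/defaults/npf.boot.conf
	else
		warn "can't load initial npf rules; npf start aborted."
		stop_boot
		exit 1
	fi

	# A ruleset that fails to load must abort the boot just like a missing one.
	if ! /sbin/npfctl reload "$_conf"; then
		warn "can't load initial npf rules from $_conf; npf start aborted."
		stop_boot
		exit 1
	fi

	/sbin/npfctl start
}
```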